Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the split utility of uutils coreutils. The program attempts to prevent data loss by checking for identity between input and output files using their file paths before initiating the split operation. However, the utility subsequently opens the output file with truncation after this path-based validation is complete. A local attacker with write access to the directory can exploit this race window by manipulating mutable path components (e.g., swapping a path with a symbolic link). This can cause split to truncate and write to an unintended target file, potentially including the input file itself or other sensitive files accessible to the process, leading to permanent data loss.
AnalysisAI
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local attackers with directory write access to manipulate symbolic links between the initial path validation and file truncation, causing data loss to unintended target files including the input file or other sensitive files. CVSS 6.3 (local, high complexity, low privilege required); SSVC assesses as non-exploitable in automated attacks but partial technical impact due to manual race window exploitation requirements.
Technical ContextAI
The vulnerability stems from CWE-367 (improper restriction of rendered UI layers or frames), manifesting as a TOCTOU race condition in file path validation. The split utility first validates that input and output file paths differ using string comparison, then later opens the output file with truncation flags. This two-step process creates a window where a local attacker with write permissions to the target directory can swap a non-symbolic-link path with a symbolic link pointing to a sensitive file (input file, system configuration, user data). The path-based check passes because the symbolic link itself differs from the input path, but the subsequent open() call with O_TRUNC follows the link and truncates the link target. CPE indicates all versions of uutils coreutils are affected.
RemediationAI
Vendor-released patch available via GitHub pull request https://github.com/uutils/coreutils/pull/11401. Update uutils coreutils to the patched version as soon as it is released. As immediate compensating control for multi-user systems where local attackers exist, disable split command execution for untrusted users via Unix access controls (chmod, sudo rules), or restrict write permissions to directories where split might be executed. This introduces usability trade-offs in shared systems. No functional workaround exists short of these access controls, as the root cause requires fixing the underlying TOCTOU logic to perform atomic validation-and-open operations or use file descriptor-based operations that prevent symbolic link traversal between checks.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated atta
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25024
GHSA-4wrp-79m8-9m9p